We created a GDPR compliance checklist for clients and decided that this information would be useful to share on our blog for general information. We hope that you find it useful.
There is so much information and misinformation published about GDPR that a simple guide is called for, which outlines the key obligations and actions.
This briefing has been verified using information provided on the Information Commissioner’s website and advice received in person via the ICO small business helpline.
Please note that as well as the GDPR you must also comply with the Privacy and Electronic Communications Regulations (PECR) and any other applicable laws for your industry and jurisdiction.
The disclaimer – Note that this briefing is not intended to construe legal advice or offer comprehensive guidance. We accept no liability as a consequence of noncompliance with relevant legislation.
What is the GDPR?
The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period. (Wikipedia)
The GDPR is an update to the Data Protection Act and works in conjunction with the Privacy and Electronic Communications Regulations. The GDPR broadens the definition of ‘personal data’ to include anything that could identify an individual (e.g. your IP address) and puts the onus on the organisation to ensure that data is collected, stored, processed and used legally and fairly.
The purpose of this guide is not to go into detail on the requirements of the GDPR itself, but provide organisations with practical steps to take to prepare for the introduction of the regulations.
This checklist is a useful guide for your organisation to prepare for GDPR.
The key stages are:
- Inform yourself and raise awareness within your organisation
- Appoint a Data Protection Officer
- Conduct an Information Audit
- Determine the legal basis for your data activities
- Determine processes for new data collection, processing and usage
- Create a record of your processing activities
- Define your organisation’s processes and procedures
1. Inform yourself and raise awareness within your organisation
Educate yourself about the GDPR and your company’s obligations. As there is so much misinformation being created around the GDPR refer to the Information Commissioner’s Office (ICO) website only as a trusted source of information.
Ensure that managers and key stakeholders are aware of GDPR and understand its impact on your operations.
The GDPR applies to all organisations using or processing personal data of EU subjects, whether your organisation operates within the EU or not. It expands the definition of identifiable personal data and the protection of individual’s rights. Personal data applies equally to that of employees, suppliers, customers and website visitors, etc.
The accountability principle in Article 5(2) means that you must be able to demonstrate that you comply with the principles and states explicitly that this is your responsibility. Ignorance is no defence.
2. Appoint a Data Protection Officer
Designate a Data Protection Officer within your organisation who will be responsible for data protection compliance. It is important that they have the seniority and influence to make changes.
Identify if you are a data processor or data controller or both:
Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
If you operate internationally, determine which data protection supervisory authority you come under.
Whenever a data controller uses a data processor there needs to be a written contract in place. Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. Processors must only act on the documented instructions of a controller. They will, however, have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.
3. Conduct an Information Audit
(Use our GDPR data audit template)
Document any personal data you hold. Note the new broader definition of personal data.
- How was it collected?
- Do you hold more information than you need?
- Was permission obtained to store/process/market – can you evidence it?
- If permission was not obtained – do you need to obtain it?
- Who do you share it with (incl sharing partial data) eg Google Analytics, suppliers, accountants etc?
- How long do you need to keep it for? You should not keep data longer than necessary. Identify how long data should be held and document your rationale.
4. Determine the legal basis for your data activities
GDPR does not explicitly require opt-in consent for business to business (B2B) marketing activities, but it is required for consumer marketing activity (B2C).
Article 6.1 sets out 6 legal grounds for using personal data clearly which includes opt-in activity. They are:
6(1)(a) – Consent of the data subject
6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(c) – Processing is necessary for compliance with a legal obligation
6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6(1)(f ) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
You must select one of the legal basis for collecting, processing and using data from those listed above.
For B2C activities you will require consent 6(1)(a) for any sales or marketing activity.
For B2B activities and marketing, 6(1)(f) is of interest as it explains ‘legitimate interest’. Please note that sole traders are considered individuals and therefore consent must be obtained as if they were a consumer.
Before any telephone contact is made check if the recipient is registered with the Telephone Preference Service. If they are registered you must not make unsolicited calls to that number.
5. Determine processes for new data collection, processing and usage
Review how you collect any new data, how you process, store and use it.
- How do you collect it?
- What information are you collecting and what for?
- On what legal basis are you collecting/processing/using the data?
- How is/will permission be obtained to collecting/processing/use the data – can you evidence it?
- Who will you share it with (incl. sharing partial data)?
- How will you store it?
- How long will you retain it?
6. Create a record of your processing activities
(Use our GDPR data audit template)
Identify and document the legal basis for any personal data storing/processing/marketing that your company does.
Identify any ‘special data’ e.g. pollical beliefs, race, religion, children’s ages and, if users are children (assume for the UK as those under 13), gather parental consent for data processing activity.
7. Define your organisation’s processes and procedures
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Ensure your company has documented procedures in place for all individual rights, for instance,
- How would you delete personal data or provide data electronically for a data subject to review or rectify?
- How will you handle requests within a reasonable period of time?
- Do you have the right procedures in place to detect, report and investigate a personal data breach within 72 hours?
More information on GDPR compliance
The primary reference point for all GDPR queries should be the Information Commissioner’s website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
The ICO also offer a small business helpline which can be reached on 0303 123 1113 option 4
Need help with GDPR compliance?
If you need help ensuring that your organisation is compliant with the GDPR please get in touch and we can help you with your data audit and record of processing activities.